If you read carefully, they don't deny what Reuters reported: taking $10M to make the RNG default.
Reuters: "Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract."
And now the response.
RSA: "Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation."
---> Only one part of the first sentence needs to be untrue for the allegation to be deniable. RSA did not incorporate a "known flawed" RNG, because it wasn't at that time. And that's not what the alleged contract was even about, but to make default.
RSA: "We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it."
---> Focus on relationship not being secret, but contracts may be.
RSA: "RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use."
---> They had not positively known the RNG is flawed.
> Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.
Wrong RSA is denying incorporating "a known flawed random number generator" into BSAFE in 2004. Elsewhere in the same press release RSA states that they did not consider Dual EC DRBG to be considered flawed until September 2013 despite being aware of concerns dating back to 2007. Therefore in 2004 when RSA added Dual EC DRBG into BSAFE it was not "a known flawed random number generator".
They also admit to a business relationship with the NSA but refuse to discuss it.
It was 'known flawed' in 2007. What was not know was whether or not anyone possessed private keys that would have made that known flaw a known exploit. The knowledge that the NSA did indeed have a backdoor didn't come along until Snowden.
All they deny is that their secret contract with NSA didn't require them to incorporate "a known flawed RNG".
They do admit that they agreed to incorporate that specific RNG for the money, that such a contract existed.
They do admit that the contract was secret - the explicit influence it was not disclosed to the customers of that product.
In essence they deny only that the specific RNG was known to be flawed, but don't even apologize for the fact that they had a clear conflict of interest that they didn't disclose to customers at the time, and didn't treat "please use method X, we'll pay you" as an unacceptably suspicious request in the first place.
Actually, because they were writing doublespeak, they said nothing of the sort. Since they declared NIST the ultimate arbiter of encryption quality, by definition they didn't do anything wrong.
This appears to be a strong denial, which they support by claiming that NSA was successfully promoting Dual EC DRBG as a better RNG to NIST and the tech industry. That is, they were being misled as much as anyone else who believed the NSA regarding Dual EC DRBG.
That sounds good. But the don't even go near the heart of the matter, which, from the Reuters report is:
Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.
RSA does not deny that they took $10M to use Dual EC DRBG as the default in BSafe. Nor do they say why they did, if there is a reason other than that the NSA paid to make it so. They do not say why they took a sum which boosted their revenue by over 30% in return for no deliverables other than a change in default configuration - a couple minutes of work.
Because it's really hard to argue in favor of that particular RNG. It's kludgy, it's slow, the quality of the numbers out of it— by basic RNG tests— are not very good.
They could have tried to suggest all other options were weak for secret reasons but that seems like a pretty big risk.
I thought the whole point here was that Dual EC DRBG was clearly better at the time.
We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
Clarification: The argument was not that it was clearly better, but that RSA believed the NSA could be trusted to have good intentions. This makes changing a bit more suspicious, but i guess the argument is that it wasn't suspicious enough to... reject $10M?
Worth noting: as I understand, it boosted the revenues of that specific business unit by 30% - the whole of RSA has much more than $20m of revenues.
If so, it's interesting in a "oh, it's like the Enron team in Arthur Andersen taking down the entire practice for a relatively small sum of money" kind of way...
Well they are either stupid and shouldn't be trusted with security matters or they are lying sacks of shit.
Yes technically NSA probably didn't tell them at the time what the weakness is but getting $10M under the table to change a default and not asking questions is either incredible stupidity for why that might be, or they are are just lying, they figure out why that might be and did it anyway. (Yes they probably never put it in writing in any of the internal memos or emails).
Either way they lost credibility and shouldn't be trusted with security matters. Hope that $10M was worth it.
the thing is, i'm pretty sure the weakness in DUAL_EC_DRBG has been public knowledge for a while. this paper detailing the vulnerability came out in 2007, and shows how fundamental the weakness really is:
They're just saying this because it's classified and will never see the light of day that they were actually adding a backdoor. Or maybe they're just playing word games. The only thing to go by are the facts. The facts are that RSA added an NSA backdoored feature as default into their products and were paid for it.
Could they, legally, do anything but deny? Shareholders could sue, customers could sue, I could probably sue... seems like a strongly worded legally air-tight denial is their only practical option. Plus it might be illegal to divulge classified info
I hope this is true, and not merely plausible deniability, because I was saddened by the initial reports.
The first bullet starts out very strong. In fact it has the feel of taking NSA by the neck and helping them along to the underside of the bus (and bravo for that): "At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption."
At that time. Had a trusted role.
The second bullet ("one of many choices ...") was ... eh.
The third and fourth bullet were basically RSA explaining that their actions are determined by others. First they relied upon NIST to stay with it, then at the last minute they followed NIST's belated lead and recommended against it. I would have thought they had enough smart and responsible people within RSA to determine whether Dual EC DRBG was safe and effective or not.
Still, loud applause for turning the NSA's head toward the underside of the bus.
That would be hard. Reuters have not reported that RSA took $10 million, they have reported that documents leaked by Snowdon claim that RSA took $10 million.
>we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.
> We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it.
"Recent press coverage has asserted that RSA entered into a 'secret contract' with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation."
The emphasis is mine. This quote allows for the possibility that they entered into a contract with the NSA to incorporate a random number generator that was not yet known to be flawed.
Why the hell would the NSA offer MONEY for you to adopt their encryption proposal if it was actually legitimately good?
It doesn't matter if you have any other information on the security of the algorithm; the fact that they're offering you money should speak for itself.
Well, the NSA has a track record of making public encryption algorithms stronger. They proposed changes to DES which puzzled researchers at the time, but years later were shown to significantly harden the algorithm against some attacks.
I don't have the citation on hand right now, but if I recall correctly their recommendations strengthened DES against mathematical attacks, but weakened it against brute-force attacks.
I don't know what it means to weaken DES against brute-force attacks, but, if I recall correctly, their changes did weaken it against linear crypto analysis. Their change was to replace the random constants of DES's s-boxes with their own constants. They have since then published the criteria that they used to generated these constants. Based on the fact that everything I have read on the subject, and talking with several cryptographers, says that the change was to strengthen DES against differential crypto-analysis, I think it is reasonable to believe that this is supported by looking at how they generated the constants.
NSA suggested decreasing DES's key size. IBM ultimately agreed to use effectively 56-bit* keys. This by definition makes brute force attacks easier. It was apparently criticized at the time, but it's worth noting that there's nothing secretive about it -- it's a basic and obvious element of the algorithm.
The public cryptographic community started brute-forcing DES keys for fun in the '90s; with the NSA's budget, they could have been doing it from the beginning.
* DES keys are 64 bits, but 8 bits are for parity, so the meaningful key length is 56 bits.
The NSA is really bizarre because they have two missions: 1) to break encryption and spy, and 2) to make better encryption so the enemy can't spy on the U.S.
It makes sense if you think about it: Both goals are useful to Uncle Sam and both require the same skill set. The trouble is it obviously creates quite the conflict of interest.
It doesn't make sense. It's set up that way for historical reasons, and because the folk in charge have always really prioritised 1) over 2), and hence have had no motivation to suggest a better alternative.
While a separate organisation might be best, even a division within NSA etc. explicitly tasked with protection rather than intelligence gathering would be preferable to the status quo, so long as its head could be publically known. In the end it comes down to there being no individual with that responsibility. You need someone who is visible in that role, whose mission is purely to protect, overseeing a staff whose mission is purely to protect.
Because while the NSA would love to backdoor your application, they also want to be the only ones who backdoor your application. The NSA would still want to promote security to prevent other malicious attackers from being able to exploit a domestic corporation bad security.
It's in the best interests of national security for the NSA to promote both good and/or backdoored algorithms for all allied nations and their corporations.
Well, they're clearly claiming that the "secret contract" as reported did not exist.
If you're going to call them out on being liars about that (go for it!), might want to make it less ambiguous.
For all its worth, I think RSA probably did help out the NSA with Dual EC DRBG, but:
a) Until I see some source documents from Snowden's stash, it's going to be all very annoying because until you see the terms of the contract (and no, you can't just go by some journalist's summary), you have no idea what RSA/NSA are dancing around
b) Whatever deal there was was probably set up in some fun way to make it all nicely deniable and even plausible sounding.
> Well, they're clearly claiming that the "secret contract" as reported did not exist.
Crap. They're only denying a carefully-worded strawman. They leave open:
1.) Adding support for a known-flawed PRNG for free and then entering into a secret contract with the NSA to make the already-supported PRNG the default.
2.) Entering into a secret contract with someone else (FBI?) to "incorporate" a known-flawed PRNG.
3.) Entering into a secret contract with the NSA to use a PRNG that they didn't yet know to be flawed because they didn't look at it.
Edit: You're right, they did deny it 'as reported', with "Recent press coverage has asserted ...". This could involve a creative reading of "[r]ecent press coverage", or a lie.
Edit: Also, "Crap." wasn't directed at you. I'm sorry. It was directed at RSA; these stories always get me in a lather.
The other thing that gets me is what while they sort of hint that there was no such secret contract, they simultaneously (and rather clearly) state that they cannot divulge customer contracts. So, whether or not it's a "secret" contract is moot; they aren't going to release information about any and all contracts. I guess that effectively makes them all secret, but it seems to me that debating whether or not these contracts are or are not secret is a pointless endeavor. We cannot find out the details of them through RSA (they are contractually obligated not to provide this information), so we must instead rely on the leaked documents Snowden has been providing, assuming it's true. And it probably is.
I think the real kicker here isn't that RSA was intentionally including maliciously modified algorithms as much as the NSA simply bribed^Woffered them $10 million to, err, "prioritize" its inclusion. This is probably more a lesson on distrusting government offers for lucrative contracts in exchange for nifty tools more than anything, IMO.
They also said "... we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products ...". You know, I'm having trouble finding a hole in that one. The full sentence is:
"RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use."
Maybe it hinges on misleading commas and the odd "for anyone’s use" part. With some gymnastics, I might be able to interpret that as meaning "we have entered into a contract and engaged in a project with the intention of weakening RSA’s products for some people's use".
They only say that they've never entered into a contract with the intention of weakening their products, not that they've never entered into a contract that did weaken their products without realising it at the time.
The doublespeak is desperate and only undermines their credibility. Obviously they are in a proverbial 'between a rock and a hard place'.
Anyone who bothers to read this carefully and knows the backstory about the general understanding that the DRBG was weak realizes that there is no way RSA could have not known it was compromised and they have pretty much completely confirmed the reports.
In truth, I'm not sure what is worse: that they did or didn't know what they were doing.
Also remember that RSA was initially deceptive to their customers regarding the extent of the SecureID compromise a couple of years ago. Their conduct during that compromise makes it difficult to trust statements they make now.
Reuters: "Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract."
And now the response.
RSA: "Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation."
---> Only one part of the first sentence needs to be untrue for the allegation to be deniable. RSA did not incorporate a "known flawed" RNG, because it wasn't at that time. And that's not what the alleged contract was even about, but to make default.
RSA: "We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it."
---> Focus on relationship not being secret, but contracts may be.
RSA: "RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use."
---> They had not positively known the RNG is flawed.